IDSM with shun on FWSM

ibrahim_hassan · ‎07-05-2012

Hi,

we have IDSM configured to block (shun) for some signatures with FWSM.

when sig 3002 is fired , the attacker is shun by FWSM but the issue is sig 3001 is fired and shun the victim which is internal normal user.

any suggestions,

Maykol Rojas · ‎07-10-2012

Hello,

Can you paste the event here? When the signature is fired?

Mike

ibrahim_hassan · ‎07-15-2012

the sig 3002 fire based on port scan from attacker (test) and then the sig 3001 fire on victim.

i need to know how can i make FWSM shun the connection only not the host , i tried to set the event action to "block conection" instead of "block host" but it didn't work.

Julio Carvajal · ‎07-15-2012

Hello Ibrahim,

As Maykol said can you paste the event here, we will like to see all the details, Also you are telling us you removed the action for deny attacker inline and add it deny connection inline, apply it and nothing happens? Right?

Please paste the event,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ibrahim_hassan · ‎07-16-2012

no it is IDS not inline , i changed the action from "block host" to "block coneection" to make "shun" on FWSM for this connection instead of shun all connections for this host.

Severity

Date

Time

Device

Sig. Name

Sig. ID

Attacker IP

Victim IP

Actions Taken

Vicitm Port

Threat Rating

Risk Rating

Reputation

medium

7/3/2012

14:03:12

BB2-IDSM

TCP Port Sweep

3001/0

Y

X

shunRequested, blockConnectionRequested

60767

65

85

medium

7/3/2012

14:06:54

BB2-IDSM

TCP Port Sweep

3001/0

y

x

shunRequested, blockConnectionRequested

39992

65

85

medium

7/3/2012

14:07:04

BB2-IDSM

TCP Port Sweep

3001/0

y

x

shunRequested, blockConnectionRequested

54653

65

85

medium

7/3/2012

14:07:19

BB2-IDSM

TCP Port Sweep

3001/0

y

x

shunRequested, blockConnectionRequested

58554

65

85

medium

7/3/2012

14:08:14

BB2-IDSM

TCP Source Port 0

24199/0

10.20.30.25

x

40219

85

Severity

Date

Time

Device

Sig. Name

Sig. ID

Attacker IP

Victim IP

Actions Taken

Vicitm Port

Threat Rating

Risk Rating

Reputation

low

7/3/2012

14:03:12

BB2-IDSM

TCP SYN Port Sweep

3002/0

X

Y

shunRequested, blockConnectionRequested

32

52

low

7/3/2012

14:06:53

BB2-IDSM

TCP SYN Port Sweep

3002/0

x

Y

shunRequested, blockConnectionRequested

32

52

low

7/3/2012

14:07:03

BB2-IDSM

TCP SYN Port Sweep

3002/0

x

y

shunRequested, blockConnectionRequested

32

52

low

7/3/2012

14:07:19

BB2-IDSM

TCP SYN Port Sweep

3002/0

x

Y

shunRequested, blockConnectionRequested

32

52

high

7/3/2012

14:07:30

BB2-IDSM

VxWorks Remote Debug Interface

28779/0

x

Y

shunRequested, blockConnectionRequested

17185

60

80

high

7/3/2012

14:07:47

BB2-IDSM

Nmap UDP Port Sweep

4003/0

x

Y

shunRequested, blockConnectionRequested

55

75

high

7/3/2012

14:08:34

BB2-IDSM

Nmap UDP Port Sweep

4003/0

x

Y

shunRequested, blockConnectionRequested

55

75

high

7/3/2012

14:11:10

BB2-IDSM

ICMP Network Sweep w/Timestamp

2101/0

x

Y

shunRequested, denyPacketRequestedNotPerformed, blockConnectionRequested

80

100

high

7/3/2012

14:12:12

BB2-IDSM

ICMP Network Sweep w/Address Mask

2102/0

x

y

shunRequested, denyPacketRequestedNotPerformed, blockConnectionRequested

80

100

Julio Carvajal · ‎07-16-2012

Hello Ibrahim,

I would say it is being denied due to an event action override ( see the high Risk rating)

Is it a possibility to unassigned the signature, retired it and then put it back on one more time.

Can you let us know what are the actions assigned to this signature over the signature policy?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ibrahim_hassan · ‎07-22-2012

Hello Jcarvaja,

i need to confirm that if i configured this signature to "block connection" , the FWSM will shun connection only.

the case is the FWSM shun host so it will deny all traffic from this host.